18 January 2021

Last week it was announced that tens of thousands of records have been lost from police databases in the UK after they were accidently flagged for deletion.

The error, which was reported in The Times, saw fingerprint, DNA and arrest history records wiped.

The newspaper reported that: “Sources said that more than 150,000 arrest records were accidentally deleted during a weekly “weeding” session to expunge data.”

But while the data did not belong to that of criminal or dangerous people (rather, those who were arrested and released without charge), this error could have disastrous effects as the information will not be flagged in the future.

The issue has been called a “glitch” and a “blunder”, but the fact is that it is a serious problem and reinforces the need for improving how data is managed and governed.

An individual’s record on the Police National Computer (PNC) should be reta​ined until they are 100 years of age, even if they were released without charge.

Automation in records management ensures that policy-based actions such as retention and disposition are automatically applied. Those who are responsible for the records are notified when the retention period has expired and can then make decisions on the next stage of its lifecycle.

Automation ensures less data governance risk, including that the data is stored appropriately and not kept longer than required or, in this case, disposed of before the compulsory retention period.

To caveat, the PNC may have had a fully automated process, hence some reports it was a “software bug”, but it is likely someone hit the button to proceed. Either way, a control failed.

Typically, when data is under-retained the impact is felt by the business when someone within the organisation needs to reference or use the data.

Sometimes the organisation does not notice immediately and there is a period of time for investigation to identify where the challenge has occurred – and what the impacts are likely to be.

That time is critical to the recovery process and for reporting breaches, as has happened here.

If there are multiple platforms within an organisation, many with different levels of capability for policy application and auditing of the controls in place over the data, this presents significant challenges.

Our software AI.DATALIFT provides the umbrella of control monitoring across all of these platforms with the ability to raise alerts when data is under-retained, whether due to human error or automated processes.

It holds a temporary copy of the deleted data for a fixed period of time, in a location only accessible by authorised personnel.

After the fixed time period has elapsed, the file is irrevocably deleted. Up to that point in time, the authorised person can reinstate the under-retained/deleted file back to where it should be.

This means that the person who is responsible for ensuring data governance is given the opportunity to effectively override any file deletions on the source system, whether the deletion was initiated by a person or an automated routine.

Or to put it another way, had an additional level of ‘policing’ over the data been in place, the PNC would have had the visibility of the issue earlier, awareness of the data and the people affected, and been able to recover faster.

And, of course, been able to provide a reassuring message in response to the breach.

For more information on AI.DATALIFT and its enhanced data governance capabilities, contact us on info@automated-intelligence.com